Spring Security without authentication


I have a system that already authenticates the user and controls access to pages that require authentication. I need to use Spring Security to control access to pages by user rules and to control access to certain features, such as a user being allowed only to list records and not having to delete records.

I tried to deploy a login with Spring Security and pass the responsibility of authentication to my class that takes care of the login on the system, making an implementation of the UserDetailsService, but I was not successful.

The tutorials I found on the web address authentication and give little attention to authorization. Does anyone know of an interesting link for my need?

My code is like this:

web.xml:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>
<context-param>
    <param-name>javax.faces.CONFIG_FILES</param-name>
    <param-value>/WEB-INF/faces-config.xml</param-value>
</context-param>
<display-name>Ultracar Web</display-name>
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<!--<context-param>
 <param-name>javax.faces.FACELETS_REFRESH_PERIOD</param-name>
 <param-value>-1</param-value>
</context-param>
-->
<welcome-file-list>
    <welcome-file>Principal/index.xhtml</welcome-file>
</welcome-file-list>

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml            
    </param-value>
</context-param>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

spring-security:

<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans" 
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="Principal/index*" access="permitAll" />
    <intercept-url pattern="/Principal/*" access="permitAll"/>

    <form-login login-page="/Principal/index.xhtml"        
                         default-target-url="/"
                         authentication-failure-url="/"/>
    <logout logout-success-url="/" />
</http>

</beans:beans>


login page:

<?xml version='1.0' encoding='UTF-8' ?>

<h:head>
    <link rel="SHORTCUT ICON" href="../Imagens/logo.png"/>
</h:head>
<h:body>
    <ui:composition template="./../Principal/template_inicio.xhtml">            
        <ui:define name="content">
            <div class="slider">
                <div class="container" style="padding: 10px;">
                    <div class="col-lg-9 col-xs-9 col-sm-9">
                        <ui:include src="slider.xhtml"/>
                    </div>

                    <div class="col-lg-3 col-xs-3 col-sm-3" style="padding: 17px 0;background-color: #B3B3B3;">
                        <img class="img-responsive" style="margin: 0 auto" src="#{request.contextPath}/Imagens/logo.png" />

                        <h:form id="frmLogin" class="form-group" >

                                <div class="row">                                    
                                    <div class="col-lg-12 col-xs-12 col-sm-12 ">
                                        <h:outputLabel style="color: #303030;" value="#{Utils.getStrLanguage('Usuario')}:" />
                                    </div>
                                </div>

                                <div class="row">
                                    <div class="col-lg-12 col-xs-12 col-sm-12">
                                        <p:inputText value="#{MBControl.login}" required="true"
                                                     style="width: 100%;-moz-box-shadow: none !important; -webkit-box-shadow: none !important; 
                                                     box-shadow: none !important; -moz-border-radius: 0 !important; 
                                                     -webkit-border-radius: 0 !important; border-radius: 0 !important;"
                                                     requiredMessage="#{Utils.getStrLanguage('Usuario_requerido')}"/>
                                    </div>                                    
                                </div>

                                <div class="row">
                                    <div class="col-lg-12 col-xs-12 col-sm-12">
                                        <h:outputLabel style="color: #303030;" value="#{Utils.getStrLanguage('Senha')}:" />
                                    </div>                                    
                                </div>

                                <div class="row">
                                    <div class="col-lg-12 col-xs-12 col-sm-12">
                                        <p:password value="#{MBControl.senha}" required="true" id="txtSenha" styleClass="reset-style"
                                                    style="width: 100%;-moz-box-shadow: none !important; -webkit-box-shadow: none !important; 
                                                    box-shadow: none !important; -moz-border-radius: 0 !important; 
                                                    -webkit-border-radius: 0 !important; border-radius: 0 !important;"
                                                    requiredMessage="#{Utils.getStrLanguage('Senha_requerida')}"/>
                                    </div>                                   
                                </div>

                                <div class="row" style="margin-top: 15px;">
                                    <div class="col-lg-4 col-xs-6 col-sm-12">
                                        <p:commandLink id="btnLogin" styleClass="btn button-green" ajax="false" action="#{MBControl.logar()}" 
                                                       update="frmLogin" value="#{Utils.getStrLanguage('Login')}" style="border-radius: 0 !important;"/>
                                    </div>
                                </div>
                        </h:form>
                    </div>                        
                </div> 
            </div>
        </ui:define>
    </ui:composition>
</h:body>

I don’t know how to make Spring call my login class, and then how to control permissions through Spring.

Thank you all in advance for your help.

  • 1

    Renan, I’ll follow this; I’m also having problems with spring-security, but using annotations and Servlet API 3.1.

  • Okay, if there is any news I’ll let you know.

1 answer

1

Hail!

I didn’t see in your setting where you are declaring the UserDetailsService that you implemented in your Spring context. I imagine you must have done this in another configuration file?

It is necessary to declare your implementation as a bean and then add it to the AuthenticationManager that you are using, which in this case is the login form.

Add this snippet to your setup and see if it works:

<authentication-manager>
  <authentication-provider user-service-ref="ID_DO_BEAN_DA_SUA_IMPLEMENTACAO">
  </authentication-provider>
</authentication-manager>

Example taken from this article.

Regarding authorization, I suggest you approach with Spring Security ACL. See in the official documentation how it works. There are few examples on the web, but you can understand how it works using Javadoc, the few articles and the official documentation.

Once you have configured the ACL, you can exercise control of access to your domain data according to the user profile of the application. However, review the application design for you to handle this method as little as possible.

The "ideal" would be if you controlled user access through endpoints of its implementation. Ex: /admin only ROLE_ADMIN, /gerente only ROLE_GERENTE. Of course, this is not always possible, as a combo that will come with items that only Level 1 Manager can see... but try to focus on user interaction and the flow of your application pages. Easier to maintain in the future.

If you still have questions, post in the comments that I try to answer.
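The two suggestions in the answer above (registering the UserDetailsService bean with the authentication manager, and restricting endpoints by role) combined in one spring-security.xml, as an added example that is not code from the question or the answer. The bean id, the class name `com.example.security.LegacyUserDetailsService`, the `/admin/**` and `/gerente/**` patterns and the bcrypt setting are assumptions for illustration.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Hypothetical class: your UserDetailsService implementation. It must
         return authorities named ROLE_ADMIN / ROLE_GERENTE for the rules
         below to match. -->
    <beans:bean id="legacyUserDetailsService"
                class="com.example.security.LegacyUserDetailsService"/>

    <authentication-manager>
        <authentication-provider user-service-ref="legacyUserDetailsService">
            <!-- Assumption: stored passwords are bcrypt hashes. With no
                 password-encoder, 3.2 compares passwords as plain text. -->
            <password-encoder hash="bcrypt"/>
        </authentication-provider>
    </authentication-manager>

    <http auto-config="true" use-expressions="true">
        <!-- Rules are evaluated top to bottom and the first match wins, so
             specific patterns go first and the catch-all goes last.
             Patterns must start with "/". -->
        <intercept-url pattern="/Principal/index.xhtml" access="permitAll"/>
        <!-- JSF resources and images the login page needs before login -->
        <intercept-url pattern="/javax.faces.resource/**" access="permitAll"/>
        <intercept-url pattern="/Imagens/**" access="permitAll"/>

        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/gerente/**" access="hasRole('ROLE_GERENTE')"/>

        <!-- Deny by default: anything not listed above requires a login -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <form-login login-page="/Principal/index.xhtml"
                    default-target-url="/"
                    authentication-failure-url="/Principal/index.xhtml"/>
        <logout logout-success-url="/Principal/index.xhtml"/>
    </http>

</beans:beans>
```

Compared with the configuration in the question, the blanket `permitAll` on `/Principal/*` is replaced by an explicit allow-list plus a final `/**` rule, so a page added later is protected unless someone deliberately opens it.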
